How mobile phones beat PCs
A few years ago, security experts thought you'd be crazy to access an online bank account from a mobile phone.
Mobile Web browsers hid URLs, making it easy for cybercriminals to impersonate banking sites. The Wireless Application Protocol mobile-Web standard offered limited security. Even after the introduction of smartphones, banks' stand-alone apps were often poorly designed.
"We've seen a few examples where it became clear the mobile finance apps didn't quite receive the same level of security scrutiny as their traditional counterparts," Roel Schouwenberg, a senior researcher at Kaspersky Lab, stated in a TechNewsDaily article as recently as May 2012.
The tide has turned. Experts now say mobile devices may actually be safer to use than computers for online banking, in part because malicious software can be downloaded to a computer without a user knowing it, unless the computer is running some of the best antivirus software.
Drive-by downloads, which attack Web browsers, and emailed attachments are perfect vectors for banking Trojans to infect Windows PCs.
The Trojan hides in the browser until the user logs into his or her online bank account. The the malware steals the login credentials and moves money out of the account.
On a mobile device, secretly installing software is much harder to do, as long as the device hasn't been "rooted" or "jailbroken" to let the user run privileged commands and install unauthorized software.
Why mobile applications are safer
As long as they're using encrypted Wi-Fi or a cellular data connection, mobile customers usually don't need to worry about malware hijacking their online-banking sessions. (Mobile banking Trojans do exist, but so far they only assist their desktop variants by stealing two-factor login authentication codes.)
"No online banking is completely safe, period," said Clay Calvert, director of cybersecurity for MetroStar Systems, an IT consulting firm in Reston, Va. "However, unrooted tablets and cellphones are much safer than using PCs for banking."
"The primary reason for this," Calvert said, "is that applications are vetted [by Apple and Google] before they're sent to the app store and made available for download.
"Apple and Google specifically look for malicious behavior built into apps that are submitted by developers," he said, "and will reject anything that presents potential security risks."
Greg Hughes, an information-security officer with Brookfield, Wis.-based financial-technology provider Fiserv, agreed with Calvert.
"Within the last year," Hughes said, "Google has made changes to improve the way it scans and reviews apps that are submitted and distributed through its Google Play app store, and has enhanced the criteria under which they will release apps from a security configuration perspective."
"Recent changes in the Jelly Bean release [in 2012] included clearer app permissions, a new app-verification service to enhance security, encryption improvements and other enhancements," Hughes added.
However, non-rooted Android devices can still be put in danger. Users who seek free or discounted apps from sources other than the official Google Play store run the risk of being infected by corrupted apps, which are easy to create.
To avoid this, go into the Settings menu, select Security and make sure "Unknown sources" is left unchecked.